Security Flaws in Computer Hardware Rock Industry
Google researchers found vulnerabilities in modern computer processors made by leading chip companies; the problem with the chips represents a new class of possible attack.
Computer core processors using a "speculative execution" have a "serious security flaw," according to researchers from Google's Project Zero. The speculative execution functionality is "a technique used by most modern processors (CPUs) to optimize performance," according to Google’s Matt Linton, senior security engineer, and Matthew O'Connor, Office of the Chief Technology Officer. The flaws, dubbed "Spectre" and "Meltdown," make aspects of the computer memory vulnerable to cyber attacks. Project Zero researcher Jann Horn demonstrated in research that malicious actors could take advantage of the defect to read system memory that ordinarily should be inaccessible, Google said.
"For example, an unauthorized party may read sensitive information in the system’s memory such as passwords, encryption keys or sensitive information open in applications," Google stated. "Testing also showed that an attack running on one virtual machine was able to access the physical memory of the host machine, and through that, gain read-access to the memory of a different virtual machine on the same host."
Last week, leading chip companies, including Intel Corporation, Advanced Micro Devices, Incorporated (AMD), and Arm Limited, quickly tried to assuage the public’s fear that any product with a computer processor—including laptops, desktops, smartphones, tablets and other devices—would be affected.
"When AMD learned that researchers had discovered a new CPU attack targeting the speculative execution functionality used by multiple chip companies’ products, we immediately engaged across the ecosystem to address the teams’ findings," said AMD in a statement.
The industry had been working quietly to eradicate the problem after it was discovered by the researchers in June of last year. Together, they had agreed on a January 9, 2018 disclosure date to reveal the issues and outline the companies’ remediation steps. However, press reports last week forced the companies to publicly discuss the problem earlier than expected.
Almost as quickly, three separate class action lawsuits were filed against one of the companies, Intel, in U.S. District Court, alleging $15 billion in damages and demanding jury trials: in the Northern District of California, in San Jose; in the District of Oregon, in Eugene; and in the Southern District of Indiana, Indianapolis Division. The three filings have somewhat similar language in outlining the allegations.
In the California lawsuit, the plaintiffs asserted that the security defect renders the Intel x86-64x processor "unfit for their intended use and purpose." The defective processors expose users to "troubling security vulnerabilities by allowing potential access to extremely secure kernel data." To fix the vulnerability, Intel would have to make "extensive changes to the root levels of the operating system, which will dramatically reduce performance of the processor," the plaintiffs said. They maintained that the defect exists in all Intel x86-64x processors manufactured since at least 2008. The x86-64x CPU is, and was, utilized in the majority of all desktop and laptop computers and servers in the United States, the plaintiffs alleged.
Moreover, the lawsuits claim that Intel has been unable or unwilling to repair the defect or offer users a non-defective Intel processor or offer any reimbursement for the cost of a processor along with the "consequential damages arising from the purchase and use of such processors."
"Indeed, there does not appear to be a true 'fix' for the defect," the plaintiffs stated.
The suits in all three courts acknowledge that Intel’s material defect can be patched, but attest that the patching "materially" reduces the "advertised performance" of computers, smartphones and devices with the chip. "Therefore, the only 'fix' would be to exchange the defective x86-64x processor with a device containing a processor not subject to this security vulnerability," the California filing states. "Owners are left with the unappealing choice of either purchasing a new processor or computer containing a processor that does not contain the defect, or continuing to use a computer with massive security vulnerabilities or one with significant performance degradation."